
Thread: Infected Hard Disk - Reformat

  1. #1
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Infected Hard Disk - Reformat

    Hi all, not sure if this is the right section and so if it isn't, please do move this thread.

    My friend's laptop has been infected with lots of spyware (a scan revealed she had over 20 trojans in there). Given the severity of the issue, I was planning to help her reformat the hard disk and reinstall everything again.

    The questions are:

    1. Does reformatting the hard disk remove all spyware? I presume it would but I heard reformatting doesn't clean all the data and you need to go for a few passes but I am not sure how I truly erase the hard disk if I am reformatting hard disks in totality.

    2. As you may know, laptops don't have setup disks anymore and only a recovery partition on the hard disk. Presumably if I reinstall from that, there wouldn't be any trojans or spyware as it is a different partition?

    Many thanks all for your help.

  2. #2
    Member
    Join Date
    Mar 2010
    Posts
    102
    Thanks
    0
    Thanked
    13 times in 13 posts

    Re: Infected Hard Disk - Reformat

    1. Format will remove all spyware.
    2. There is no guarantee that the recovery partition is also spyfree. Make sure you do not format the recovery partition.

    I would recommend that you boot into the laptop with a live CD and back up all documents and photos (or even image the whole drive) to external storage.

    Then start playing around with the recovery.

  3. Received thanks from:

    usxhe190 (29-09-2010)

  4. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    888
    Thanks
    0
    Thanked
    32 times in 29 posts

    Re: Infected Hard Disk - Reformat

    The only situation I could see malware possibly returning from a formatted drive is if you were to run some file recovery software at a later date. I would just run a regular format and restore the image in this situation. The malware is more likely to corrupt or delete the restorable image to prevent recovery than it is to infect it.

  5. Received thanks from:

    usxhe190 (29-09-2010)

  6. #4
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Re: Infected Hard Disk - Reformat

    Thank you for your help. Unfortunately, my friend never backed up an image of the disk while it was still free from spyware. The only source of Windows and associated drivers is the recovery partition.

  7. #5
    Environ'mentalist Zadock's Avatar
    Join Date
    Nov 2007
    Location
    Pembroke
    Posts
    1,386
    Thanks
    104
    Thanked
    101 times in 83 posts

    Re: Infected Hard Disk - Reformat

    I would also point your friend in the direction of the Hexus freeware list. There are a number of programmes there that could help prevent the same thing happening in the future.

    Personally I'm a fan of the spybot and spyware blaster combination. Malware bytes is also very useful.

  8. Received thanks from:

    usxhe190 (29-09-2010)

  9. #6
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Re: Infected Hard Disk - Reformat

    Thanks Zadock. She actually had spybot and superantispyware and a good antivirus installed.

    Unfortunately for her, I think she clicked and downloaded the wrong file or something like that.

  10. #7
    Not a good person scaryjim's Avatar
    Join Date
    Jan 2009
    Location
    Manchester
    Posts
    15,032
    Thanks
    1,193
    Thanked
    2,242 times in 1,844 posts

    Re: Infected Hard Disk - Reformat

    Quote: Originally Posted by usxhe190
    she actually had spybot and superantispyware and a good antivirus installed.

    But has she kept them updated? No antivirus is any use if it's out of date.

    As someone said earlier, there's no guarantee that the recovery partition is malware free, but I don't think you've got a lot of choice in terms of restoring the laptop - you're going to have to use the built in restore tools. My guess is that there'll be a key to press during POST that will then boot from the recovery partition and effectively start the Windows install process: you should be able to choose to format the old system partition during setup and do a clean reinstall.

    Once you've done that, find out how to make recovery DVDs (I'm sure there will be a way - I've not met a laptop in the last 5 years that didn't let you) and make some, so next time you can nuke the entire hard drive and restore from the recovery disks instead!

  11. Received thanks from:

    usxhe190 (29-09-2010)

  12. #8
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Re: Infected Hard Disk - Reformat

    Thanks scaryjim. Definitely will do that! You are right, maybe she didn't keep those things up to date although her antivirus should auto update. Let's see how things go!

  13. #9
    Not a good person scaryjim's Avatar
    Join Date
    Jan 2009
    Location
    Manchester
    Posts
    15,032
    Thanks
    1,193
    Thanked
    2,242 times in 1,844 posts

    Re: Infected Hard Disk - Reformat

    One other thing you might want to try, if you can get hold of a suitable adapter, is to mount the hard drive on another computer and do a virus sweep on the recovery partition. You'll need a USB - SATA adapter, or you could connect it to a spare SATA port on your motherboard...

  14. Received thanks from:

    usxhe190 (29-09-2010)

  15. #10
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Re: Infected Hard Disk - Reformat

    Thanks, will try that too

  16. #11
    Member
    Join Date
    Mar 2010
    Posts
    102
    Thanks
    0
    Thanked
    13 times in 13 posts

    Re: Infected Hard Disk - Reformat

    The problem with getting spyware/malware on the operating system is that you can never trust that OS again.

    Have you tried to contact the laptop manufacturer and ask for an OS/Recovery disk?

  17. Received thanks from:

    usxhe190 (30-09-2010)

  18. #12
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Re: Infected Hard Disk - Reformat

    ChaosSystem, that's a good idea. Let me try that.

  19. #13
    Senior Member oolon's Avatar
    Join Date
    Mar 2007
    Location
    London
    Posts
    2,294
    Thanks
    150
    Thanked
    302 times in 248 posts

    Re: Infected Hard Disk - Reformat

    Assuming you have to work with what you got on your recovery partition. First image the drive, copy the data off the drive (scan it using a clean computer), this way any mistake will not be critical. Either do this with a live disk or do this using another computer... if you use another computer make sure you don't boot from it by mistake otherwise you will infect that one too! When you have imaged it, use an external computer to anti virus scan the complete drive. Put it back in the old computer, and do a restore, now take it out again, and use your other computer to scan it again, if it's all good, burn the recovery CDs/DVDs, then do a restore from them, take the drive out one last time to do an external anti-virus scan, put the data back and you're done.

    If you're feeling lucky, use the infected computer to burn the recovery CDs/DVD, image the drive, take the data off it (scan the data using a clean computer), do a recovery from the media you created, do an external Antivirus scan using another computer, put the data back, and you're done. This is what I normally do, never had an infected recovery media yet.

    Always image the drive first, 2TB drives are cheap, losing someone's data is not. I bought a new drive just to do a recovery and managed to blow up the external drive, however as I had the image this was just embarrassing, not critical. I normally keep a copy of the person's data and the drive image on separate drives, also I unplug the drive with the image on it after I have taken it to make sure it's nice and safe. Always have a customer's data in two different places at the same time. Preferably one of them off line.

    As to reformatting the drive as long as the files are not addressable any more it does not matter if they exist as they will never be seen again. Multiple passes with random data are not necessary, these are to prevent someone using forensic tools to recover data. Even a quick format will mean your OS will never think the data was ever there, if you really worry a single pass with zeros is fine.
    Last edited by oolon; 30-09-2010 at 11:18 AM.

  20. Received thanks from:

    usxhe190 (30-09-2010)

  21. #14
    Admin team peterb's Avatar
    Join Date
    Aug 2005
    Location
    Southampton
    Posts
    19,322
    Thanks
    2,874
    Thanked
    3,379 times in 2,676 posts

    Re: Infected Hard Disk - Reformat

    As Oolon says. "Formatting" a disk is a misnomer. What you are doing is making a file system on the disk, that is creating a blank master file table. This effectively removes all the pointers to the existing files.

    There is one thing to be careful about and that is boot sector files, because making a new file system does not overwrite the boot sector (or the remaining sectors in that track) so malware can reside there. So from that perspective, overwriting the first 63 sectors on the disk would be a sensible precaution. Easiest way is to boot from a Linux live CD and then

    Code:
    dd if=/dev/zero of=/dev/xxx bs=512 count=63
    where xxx is the hard drive (probably hda or sda - but you need to check)

    This will write zeros to the first 63 sectors.

  22. Received thanks from:

    usxhe190 (30-09-2010)
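
A variation on the `dd` command in post #14, as an added example that is not part of the original thread: it backs up the first 63 sectors, then zeroes the boot code and sectors 1-62 while leaving the partition table (bytes 446-511 of sector 0) in place, because the recovery partition discussed in this thread is located through that table. It assumes a classic MBR layout; the function names and the test image are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a classic MBR disk: boot code in
# bytes 0-445 of sector 0, partition table in 446-509, 0x55AA signature in
# 510-511, first partition starting at sector 63. Function names are hypothetical.
# Run it against a disk image first; on GPT disks sectors 1-33 hold the GPT.

SECTORS=63

# Save the first 63 sectors so the wipe can be reversed.
backup_track0() {      # $1 = disk or image, $2 = backup file
    dd if="$1" of="$2" bs=512 count="$SECTORS" 2>/dev/null
}

# Count non-zero bytes in sectors 1-62, the gap after the MBR.
gap_nonzero_bytes() {  # $1 = disk or image
    dd if="$1" bs=512 skip=1 count=$((SECTORS - 1)) 2>/dev/null |
        tr -d '\000' | wc -c | tr -d ' '
}

# Hex dump of partition table plus signature, for before/after comparison.
table_hex() {          # $1 = disk or image
    dd if="$1" bs=1 skip=446 count=66 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Zero the boot code and the gap; bytes 446-511 of sector 0 are left alone.
wipe_boot_area() {     # $1 = disk or image
    dd if=/dev/zero of="$1" bs=446 count=1 conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$1" bs=512 seek=1 count=$((SECTORS - 1)) conv=notrunc 2>/dev/null
}

# Constructed 128-sector image: fake boot code, one table entry, the signature,
# leftover bytes in sector 5 and partition data at sector 63.
make_demo_image() {    # $1 = output path
    dd if=/dev/zero of="$1" bs=512 count=128 2>/dev/null
    printf 'BOOTCODE' | dd of="$1" conv=notrunc 2>/dev/null
    printf '\200\001\001' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'RESIDUE' | dd of="$1" bs=512 seek=5 conv=notrunc 2>/dev/null
    printf 'DATA' | dd of="$1" bs=512 seek=63 conv=notrunc 2>/dev/null
}
```

A non-zero result from `gap_nonzero_bytes` is not proof of malware, since some boot loaders keep their own code in those sectors; keep the backup until the machine boots and the recovery partition is confirmed reachable.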

  23. #15
    Senior Member usxhe190's Avatar
    Join Date
    Sep 2007
    Posts
    1,688
    Thanks
    149
    Thanked
    82 times in 63 posts

    Re: Infected Hard Disk - Reformat

    Thank you very much oolon and peterb!

  24. #16
    Registered User
    Join Date
    Jul 2003
    Location
    Cornwall/Weston-Super-Mare
    Posts
    5,337
    Thanks
    438
    Thanked
    309 times in 262 posts

    Re: Infected Hard Disk - Reformat

    Buying the recovery media from the manufacturer will normally cost about £30. If you've got a copy of the OS that laptop came installed with from the factory I'd personally just use a vanilla OEM Windows disc of the same version that it was installed with and use the key from the bottom of the laptop.

    Then get all the drivers on the net for whoever made the laptop.

  25. Received thanks from:

    usxhe190 (30-09-2010)
